summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch38
-rw-r--r--meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb1
2 files changed, 39 insertions, 0 deletions
diff --git a/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch
new file mode 100644
index 0000000000..ef2eb48d61
--- /dev/null
+++ b/meta-gnome/recipes-gimp/gimp/gimp/CVE-2025-5473.patch
@@ -0,0 +1,38 @@
1From 9e4ebb38ba85661ee62361f218d6c35ace502395 Mon Sep 17 00:00:00 2001
2From: Alx Sa <cmyk.student@gmail.com>
3Date: Sat, 3 May 2025 14:13:46 +0000
4Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation
5
6Resolves #13910
7Since ICO can store PNGs, it's possible to create an
8icon that's much larger than the stated image size and
9cause a buffer overflow.
10This patch adds a check to make sure the width * height * 4
11calculation does not overflow in addition to making sure it
12doesn't exceed the maximum allowed size for that icon.
13
14CVE: CVE-2025-5473
15Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/c855d1df60ebaf5ef8d02807d448eb088f147a2b]
16(cherry picked from commit c855d1df60ebaf5ef8d02807d448eb088f147a2b)
17Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
18---
19 plug-ins/file-ico/ico-load.c | 6 +++++-
20 1 file changed, 5 insertions(+), 1 deletion(-)
21
22diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
23index f44b805905..c144b6e2cd 100644
24--- a/plug-ins/file-ico/ico-load.c
25+++ b/plug-ins/file-ico/ico-load.c
26@@ -295,7 +295,11 @@ ico_read_png (FILE *fp,
27 png_read_info (png_ptr, info);
28 png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
29 NULL, NULL, NULL);
30- if (w*h*4 > maxsize)
31+ /* Check for overflow */
32+ if ((w * h * 4) < w ||
33+ (w * h * 4) < h ||
34+ (w * h * 4) < (w * h) ||
35+ (w * h * 4) > maxsize)
36 {
37 png_destroy_read_struct (&png_ptr, &info, NULL);
38 return FALSE;
diff --git a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
index 064a797986..36b0712976 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_2.10.38.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
49 file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \ 49 file://0001-libtool-Do-not-add-build-time-library-paths-to-LD_LI.patch \
50 file://CVE-2025-14422.patch \ 50 file://CVE-2025-14422.patch \
51 file://CVE-2025-14425.patch \ 51 file://CVE-2025-14425.patch \
52 file://CVE-2025-5473.patch \
52" 53"
53SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e" 54SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
54 55